[00:01.830 --> 00:07.550]  Hello, this is Forrest. I am here to speak to you today about some certain shenanigans that I pull
[00:07.550 --> 00:12.970]  off once a year with hacking college kids and telling you exactly how they do it wrong.
[00:13.170 --> 00:15.230]  Let's go ahead and get right into the slides.
[00:16.990 --> 00:22.110]  So, if you want more information about me, you're welcome to look at JRWR.io. I'd be happy to
[00:22.110 --> 00:26.850]  provide guidance. I have a contact page and sorts. You can get a hold of me on Twitter of sorts.
[00:28.770 --> 00:34.430]  So, what I do... well, I should say, who am I? Some of you have probably seen me floating around
[00:34.430 --> 00:41.790]  DEF CON before. I am Hachan, pretty much. Everybody knows me by this crazy hat of mine.
[00:41.790 --> 00:46.390]  It's a pith helmet with a Wi-Fi access point on it. Everybody generally loves it. But I've
[00:46.390 --> 00:51.110]  done a couple of other weird things over the years. Right now, I'm a Department of Defense
[00:51.730 --> 00:58.090]  subcontractor, cybersecurity auditor. So, pretty much, I do audits for small military
[00:58.750 --> 01:04.270]  manufacturers. You know, they make parts, whatever. And they do it terribly, usually.
[01:04.890 --> 01:10.530]  It's rather boring, though. If you want to look up that in tomfoolery.
[01:11.370 --> 01:17.630]  At one point, I was a Dogecoin mining pool operator for a fundraiser for the Doge car.
[01:17.630 --> 01:21.970]  That was also awesome. And that's also where the pith helmet comes from. It was way back then.
[01:23.370 --> 01:27.490]  As you can see, the Doge car was amazing. You should Google it. There's some videos
[01:27.490 --> 01:32.110]  out there of me, you know, being chased with a beer cooler because I had to steal it for
[01:32.110 --> 01:38.430]  some ice shenanigans. But for this talk, the really relevant is that I've been a red team
[01:38.430 --> 01:45.170]  member for NECCDC for about three years now. It's Northeast Collegiate Cyber Defense Competition.
[01:46.890 --> 01:53.290]  The basics of the competition is that there is a blue team, which is college students,
[01:53.810 --> 02:02.370]  being thrust into a network of sorts, right? A standardized business network that they would
[02:02.370 --> 02:10.590]  come across. And they have to do all the things. So, it's several teams of students from local
[02:10.590 --> 02:17.890]  regions for the Northeast Corridor. And there's others for each region. And so,
[02:17.890 --> 02:26.070]  they're kind of like an emergency blue team, right? So, they come in and they have to
[02:27.550 --> 02:31.990]  fix the network, whatever's wrong with it, right, to get it stable. They have a list of services
[02:31.990 --> 02:39.870]  that they have to keep online. We've already been given about an hour already to attack them as red
[02:39.870 --> 02:44.510]  team before they could even get hands on keyboard the night before. So, we've got all of our
[02:44.510 --> 02:53.070]  implants in place to make sure they're nice and pwned. Generally, it's a two-day event.
[02:53.550 --> 03:01.470]  The red team is a group of chosen pen testers and infosec nerds. Generally, it's from mostly
[03:01.470 --> 03:04.910]  people who've been working with the professor that's running it, Daryl Johnson, at least for
[03:04.910 --> 03:10.810]  the Northeast Corridor. Daryl's great. He goes to RIT, Rochester Institute of Technology,
[03:11.630 --> 03:18.230]  and they run the red team. So, there are other teams of, you know, black and white support
[03:18.230 --> 03:23.750]  as well. White team is, you know, people in the rooms that help the teams out, kind of,
[03:23.750 --> 03:28.910]  you know, just basic support roles, filing tickets if something explodes, things of that sort,
[03:28.910 --> 03:33.850]  things get fired. The black team is the one who actually manages the infrastructure,
[03:34.350 --> 03:38.010]  making sure everything's up and running and such. They generally have physical hardware
[03:38.010 --> 03:41.770]  that they're dealing with. The previous one, they did not, of course, because it was virtual, but
[03:42.330 --> 03:45.990]  the last two years, which is what we'll be covering, 2019 to 2018,
[03:46.910 --> 03:51.370]  it was in person, and we could really futz with the hardware, with implants.
[03:52.850 --> 03:59.210]  So, on top of defending themselves from red team, they also have to do other things that are worth
[03:59.210 --> 04:03.770]  points, and some of it's worth a lot of points, right? There's incident response,
[04:03.770 --> 04:11.570]  right? So, they have to write up a report stating that, you know, this is how we were compromised,
[04:11.570 --> 04:14.970]  or this is what happened, you know, this is the current state of the system, this is what we did
[04:14.970 --> 04:21.690]  to fix it, and such. These are called injects. Maybe it's a request from the CEO to do something
[04:21.690 --> 04:28.450]  like change his password or allow him VPN access. Black team's always throwing them new stuff to do.
[04:29.210 --> 04:32.870]  Those are worth a good amount of points. Those are considered daily operation stuff, right?
[04:32.870 --> 04:36.650]  Stuff you'd have to do on a day-to-day basis as somebody who is blue team,
[04:36.650 --> 04:46.310]  or just general IT in the network. So, then, from there, scoring is really based off of how long
[04:46.310 --> 04:51.890]  red team had access, the reports made, and the services kept alive, and the scoring of
[04:51.890 --> 04:56.790]  the services is automated, and we futz with that as well, you know, ARP spoofing and such.
[04:58.270 --> 05:06.970]  So, the first hour that we get access to the network, we infect everything. We have all of
[05:06.970 --> 05:11.590]  their passwords in a table already, so we have scripts in place, first thing we do is hit enter,
[05:11.590 --> 05:17.650]  infects everything that we can get a hold of, and we do all the crazy. Cobalt Strike,
[05:17.650 --> 05:23.450]  which a lot of you might know from your toolkits, was actually written for NECCDC by Raphael Mudge,
[05:23.450 --> 05:27.210]  great guy, by the way, if you ever meet him at DEF CON, he does float around there.
[05:27.890 --> 05:33.770]  Dude is crazy good at it. He does these DNS slow burn beacons, so he will stack
[05:33.770 --> 05:38.250]  beacons on top of one another, so he will do these really fast HTTP beacons,
[05:38.250 --> 05:43.290]  but then he will have these beacons for, like, a special domain that he's only registered for this,
[05:43.290 --> 05:48.590]  where it only pulls once every six hours, right? So, if they haven't removed it from the system,
[05:48.590 --> 05:53.170]  they're not going to notice the traffic, and then he uses that to pivot more beacons into
[05:53.170 --> 05:57.550]  the system for the faster ones, and that's the ones we work off of generally. He provides
[05:57.550 --> 06:05.430]  the team server, and we, you know, futz with the system from there. He does, you know,
[06:05.430 --> 06:14.190]  DNS fronting, ICMP pings, beacons, IPv6-based beacons we've done once before. That was fun,
[06:14.190 --> 06:21.330]  because the Palo Altos don't filter that very well. But if you use Cobalt Strike,
[06:21.330 --> 06:27.230]  now you know why some of the features are like the way they are, because in all reality,
[06:27.230 --> 06:33.450]  you know, at least from what I understand from Mudge, it was written for NECCDC, and it was
[06:33.450 --> 06:39.750]  solving a problem that Armitage just wasn't solving, right? So, he was improving Armitage,
[06:40.890 --> 06:44.830]  and he just got better with it, and he started selling it as a product, because it was a good
[06:44.830 --> 06:51.850]  idea. You know, we disable the antivirus, infect the networking hardware, you know,
[06:51.850 --> 06:58.210]  the Palo Alto, their switches, their firewalls. We have access to it all. So, we just go to town.
[06:58.970 --> 07:02.830]  You know, we have full access to practically everything. We have the domain admin password,
[07:02.830 --> 07:08.370]  so we just start deploying everything that we have in our arsenal. So, if you think of every
[07:08.370 --> 07:14.170]  single piece of kit that you can deploy against what you have as domain admin for persistence,
[07:14.170 --> 07:21.390]  we generally do it, right? We have a team of about 15. We're having to manage, I think it was
[07:21.390 --> 07:26.610]  10 teams last year. So, we do have to kind of, it really is a high workload. That's why there's
[07:27.310 --> 07:33.570]  a lot of grouping and stuff like that in Cobalt, is because we have to do it on a per team basis.
[07:33.570 --> 07:41.010]  We have to score per team. I personally like doing Linux backdoors, because I'm a Linux nerd.
[07:41.010 --> 07:50.510]  I do all kinds of footsie things. For instance, you know, PAM backdoors and things of that sort.
[07:50.510 --> 07:58.330]  We'll cover that here in a moment. But we try to keep low, and we watch as teams try to find us,
[07:58.330 --> 08:01.830]  right? Like, a lot of times, their services just go down, because they're just breaking
[08:01.830 --> 08:10.370]  it for themselves, right? Like, we're just persisting. So, what we'll do is steal some
[08:10.370 --> 08:18.510]  passwords. The Cobalt Strike key logger is amazing for this. We will steal some SSH keys,
[08:18.510 --> 08:24.490]  AWS keys, if they're doing cloud that year. They love just leaving them on their Linux boxes,
[08:24.490 --> 08:32.270]  right? Where else are they gonna put it? We'll reinfect using where we can. Some of the common backdoors
[08:32.270 --> 08:37.650]  that we use, we have an IIS backdoor that was written. I don't think it's publicly released,
[08:37.650 --> 08:46.730]  but it is signed. Using unleaked certificates, whenever he actually had a code signing cert,
[08:46.730 --> 08:51.830]  but they wouldn't renew it on them this year. Some PAM SSH backdoors, we've been using that
[08:51.830 --> 08:56.990]  thing forever. Still get students, we can just log in with whatever password we want as root.
[08:57.790 --> 09:03.950]  Bash backdoors, these are my specialty. I've actually recompiled bash for systems and placed
[09:03.950 --> 09:11.390]  backdoors. Run an extra curl command and pipe that into whatever. I've also been doing DNS
[09:11.390 --> 09:18.090]  backdoors that way. There's an environmental variable that you can set. I can't remember
[09:18.090 --> 09:24.390]  right offhand, but there's an environmental variable that you can set where it's a callback.
[09:24.390 --> 09:28.350]  It's supposed to be the missing command callback or just a command callback, and it will run it
[09:28.350 --> 09:33.970]  after every successful command. So you just run that every time, right? You set it in
[09:33.970 --> 09:42.610]  /etc/profile. Nobody ever looks at their environmental variables for compromises, right? Not for two
[09:42.610 --> 09:50.510]  years at least. We were piping dig directly into bash for that. We're doing TXT records and just
[09:50.510 --> 09:55.290]  shoving shell in there and waiting for them to show up on their firewall. It wasn't like we're
[09:55.290 --> 10:01.590]  encrypting it or anything. A lot of these times we'll have monitoring in place like Splunk,
[10:01.590 --> 10:08.570]  and we'll just backdoor it. We had a guy who we call our Splunk nerd, and he has a custom
[10:08.570 --> 10:16.870]  application that he'll attach to their Splunk instance. And what he'll do is then it'll become
[10:16.870 --> 10:24.010]  his managed instance. So they're all kind of upstream to a centralized orchestra system,
[10:24.010 --> 10:29.290]  and he just manages everybody's Splunk forum. So he can do deployment payloads that way. Most
[10:29.290 --> 10:38.290]  team members don't notice that this is happening. It's very, very stealthy, and it's great. From
[10:38.290 --> 10:41.550]  what I understand, the code for it's relatively easy to implement. You could just take one of
[10:41.550 --> 10:47.210]  the sample applications and just have it be managed by something else. You're going to
[10:47.210 --> 10:52.130]  play payloads through it. Most of the time they don't notice it's happening, and you'll see that
[10:52.130 --> 10:58.770]  in some of the screenshots as well, that it's coming down through Splunk. We'll backdoor the
[10:58.770 --> 11:04.050]  Palo Alto, put our own accounts in. There's certain hacks that particularly happen with
[11:04.050 --> 11:10.270]  some of the web interface. They'll add little JavaScript snippets that report home. A lot of
[11:10.270 --> 11:14.070]  times these get blocked because they're just blocking all HTTP traffic at this point, but
[11:14.070 --> 11:21.090]  we'll actually inject custom theming where it'll send... when they change the password
[11:21.090 --> 11:28.630]  to the web interface, it sends it back to us. I have a thing where I'll backdoor all the
[11:28.630 --> 11:35.750]  ELFs on a file system. I'll take BusyBox, full compile it, put the backdoor in there,
[11:35.750 --> 11:43.470]  just runs the command through DNS again. Compile it, link it all out into the Debian system real
[11:43.470 --> 11:47.990]  fast. Anytime they run an application at all, it gets compromised, and it links back to
[11:48.710 --> 11:54.630]  the BusyBox parameter. And I futz with their path a little bit, and I point it,
[11:54.630 --> 12:02.770]  I rearrange it so that it's like /usr/local/bin is first, right? So you set that first,
[12:02.770 --> 12:08.770]  you throw BusyBox in there, they'll never find it. Nobody ever looks in /usr/local/bin,
[12:08.770 --> 12:19.490]  right? So we'll also do some tomfoolery. If we notice that they're trying to install
[12:20.250 --> 12:24.750]  detection tools, right, on Windows or Linux, especially on Linux, they'll try to compile
[12:24.750 --> 12:29.590]  stuff, we'll backdoor it. We have these C backdoors that we just throw in any application
[12:30.470 --> 12:34.290]  offhand, and we'll just... you can find them on GitHub, they're everywhere. You throw them in
[12:34.290 --> 12:40.450]  there, and they compile it, and they run it. It's backdoored now. The rootkit-hunter is backdoored.
[12:42.230 --> 12:45.430]  Mind you, we only have two days, so we're just throwing anything that we can, it'll stick,
[12:45.430 --> 12:54.850]  right? So if we see somebody being clever, we'll just blue screen the box, right? Like,
[12:54.850 --> 12:58.770]  we're not going to deal with any of their shit. You know, they're trying to be clever,
[12:58.770 --> 13:06.050]  they're going through ProcMon and going, nope, and then crash the box, right? We'd rather just
[13:06.050 --> 13:12.070]  crash the box before they get a hold of our loot. This is, you know, very rapid, you know,
[13:12.070 --> 13:17.790]  this happened over the course of a couple of hours. We'll spot the screenshots coming in.
[13:18.010 --> 13:24.370]  Through Cobalt Strike, we're like, well, he's up to no good. Eh, just crash the box.
[13:24.970 --> 13:28.750]  We'll reboot it, that'll be fine, but maybe put some dancing bananas on the screen.
[13:28.770 --> 13:35.270]  We'll get later to that. Sometimes we like to do annoyance. A lot of annoyance really kind of
[13:35.270 --> 13:40.710]  annoys some of the teams. Like, there's some teams that really like to use tmux, and we'll
[13:40.710 --> 13:47.670]  replace it with screen. You can't run tmux. Oh, but if you try to run screen, it just /dev/urandoms
[13:47.670 --> 13:53.470]  your terminal. But if you try to run emacs, it'll actually open vim, and if you try to open
[13:53.470 --> 14:00.490]  vim, it opens up nano, which is super fun. They really hate that when you do that to somebody
[14:00.490 --> 14:05.010]  who's trying to remediate a box, and his commands keep changing out underneath them.
[14:05.810 --> 14:09.950]  And they're trying to figure out, how are you in the box? You're not even showing up. Well,
[14:09.950 --> 14:14.510]  we have a tty in there through Metasploit or something like that, and we're just screwing
[14:14.510 --> 14:20.930]  with you. Automation is key, though, right? If you're popping this many boxes, we're having
[14:20.930 --> 14:27.590]  to handle over 100 boxes. Automation is key until you start noticing somebody trying to be clever,
[14:27.590 --> 14:35.430]  and you go and futz with them for a couple of minutes. We'll reconfigure their DNS
[14:36.390 --> 14:42.370]  to make them distracted. We'll just drop their DNS into a black hole. Our beacons still work,
[14:42.370 --> 14:47.610]  but their DNS doesn't, right? They'll be pointing to our DNS servers, which drop everything but our
[14:47.610 --> 14:55.410]  beacons. We've screwed up a couple of teams doing that. That was super fun. Reconfigure
[14:55.410 --> 14:59.670]  the Palo Alto right underneath them, right? They keep adding a block rule,
[14:59.670 --> 15:05.510]  we'll drop that block rule. Or we'll reconfigure that block rule where it doesn't work.
[15:05.730 --> 15:09.450]  The order is out of place, and the allow rule is just stuck up there,
[15:09.450 --> 15:13.230]  and all the block rules don't work. You know, order of operations.
[15:15.150 --> 15:21.630]  And we'll reconfigure services to bring them down, right? That's part of the scoring. You know,
[15:21.630 --> 15:26.950]  we don't have a particular score ourselves, but we want to make them score as least as they can
[15:26.950 --> 15:34.310]  for all the teams. So we'll deface webpages, we'll deface their backgrounds, we'll deface
[15:34.310 --> 15:43.210]  services, anything that we can get a hold of. Most services are scored with ping,
[15:43.210 --> 15:49.110]  so if it doesn't match a checksum, then it's considered down, and we'll deface them,
[15:49.110 --> 15:55.190]  bring them down. My personal favorite was uninstalling Nginx and replacing it with Apache,
[15:55.690 --> 16:01.750]  kind of configuring it right, and then just leaving it half broken and letting them to fix it.
[16:01.810 --> 16:10.790]  So, I mean, you know, trying to get as much time as you can to leave your main beacons alone,
[16:10.790 --> 16:17.430]  have them misdirected, right? You want them to kind of focus on the craziness that is happening.
[16:19.690 --> 16:27.590]  So, this is going faster than I expected, but hey, that's working. So day two is when the fun
[16:27.590 --> 16:33.090]  really starts, right? Because we don't really want to blow up their boxes on the first day,
[16:33.090 --> 16:38.850]  but we do want to do it on day two. So we install the new backdoors, anything that we cooked up
[16:38.850 --> 16:45.630]  overnight, because we don't sleep, right? That's what caffeine's for. And then we just activate
[16:45.630 --> 16:50.950]  all my prank scripts. I started doing that when I first joined. I just had some on hand.
[16:52.910 --> 16:56.650]  Rotate their screen. We'll see some of these, by the way. I got a little treat for you.
[16:56.830 --> 17:02.530]  Rotate the screen by 90 degrees every 30 seconds. Makes it really hard to admin a box.
[17:03.430 --> 17:07.610]  Dancing bananas all over the screen. It's actually a fork bomb I wrote. You can see an example of
[17:07.610 --> 17:12.010]  that in the bottom right-hand corner. Them trying to kill it and it's not working.
[17:13.550 --> 17:19.810]  500% sized mouse. Super funny when it happens. They can't really use the mouse because it's
[17:19.810 --> 17:28.830]  slightly broken, but it's good fun. Bad keyboard inputs. You know, now they're Dvorak. Good luck.
[17:28.830 --> 17:33.490]  You can't change it now, by the way. We've disallowed administrators from changing that
[17:33.490 --> 17:38.650]  registry key. You're going to have to change the ACL on that. Sorry. You're going to have to go
[17:38.650 --> 17:46.710]  find it. ACLs are very powerful in Windows for registry keys. You can set some insanity in there
[17:47.350 --> 17:54.290]  and make it where they can't remove your shit unless they actually go in and rip those ACLs out,
[17:54.290 --> 18:01.490]  right? So, if you had, like, I had one where it was part of the banana script, actually,
[18:02.150 --> 18:07.330]  there's a list of process image names. It's the debugger key. Go look up the image name
[18:07.330 --> 18:14.830]  debugger key and you can do some really backdoor shit. And it just will run programs. It'll say
[18:14.830 --> 18:19.110]  program not found or my particular instance, every time you run the program, it would just spawn a
[18:19.110 --> 18:26.570]  new banana. Task manager, ProcMon, a lot of the AV software that they were trying to run
[18:26.570 --> 18:31.150]  would kind of be dynamic with it, you know? So, you know, we kind of work with it.
[18:31.490 --> 18:38.810]  And generally, it was kind of a dynamic environment on day two trying to really screw
[18:38.810 --> 18:42.710]  with them because they had a lot to think about, right? Like, they're really trying to keep their
[18:42.710 --> 18:48.150]  services up from us because, you know, they have 15 people going on and they're just, you know,
[18:48.150 --> 18:55.770]  they're a team of eight. Later on in the day, we'll really start screwing with services,
[18:55.770 --> 18:59.890]  memes, you know, defacing backgrounds, things like that, really let them know that we're home.
[19:01.490 --> 19:07.190]  Deleting files, programs, changing passwords, right? We'll delete files underneath them. We'll,
[19:07.190 --> 19:14.050]  when they're writing a report, we'll just delete it right there in front of them.
[19:14.470 --> 19:23.070]  We're so mean. But that's what makes this so much fun. You gotta try something. So, we'll
[19:23.070 --> 19:29.670]  delete stuff they're writing. They're drawing something in MS Paint. We'll draw something for
[19:29.670 --> 19:35.630]  them and they freak out because we're controlling their computer. We'll start Googling things for
[19:35.630 --> 19:39.930]  them on their own computer. That's super fun, you know, rickrolling them, things like that,
[19:39.930 --> 19:44.150]  you know, just opening up URLs, sending them helpful messages, offering help.
[19:45.470 --> 19:51.390]  Ransoming the domain controller for donuts. It was the funnest thing we've done. We did that a
[19:51.390 --> 19:55.490]  couple of times where we would ransom a service and we'd want donuts and they would have to go
[19:55.490 --> 20:04.610]  and hunt down donuts or other various things for us. We had a dance-off to get your domain
[20:04.610 --> 20:14.950]  controller back after we'd pwned like six of them. The Air Force won. So, as you can see,
[20:14.950 --> 20:21.950]  this is the most fun you'll ever have as Red Team. Ever. Two days of packed full of craziness.
[20:21.950 --> 20:26.790]  But it gets better. So, after we've done all the shenanigans,
[20:26.790 --> 20:31.850]  there's a slight story here. So, if you look on the very, very bottom there,
[20:31.850 --> 20:38.830]  there is a search warrant. We had one year, the local police department decided that they were
[20:38.830 --> 20:44.050]  going to help out and we asked them, hey, you want to do a no-knock raid on some of the students'
[20:44.050 --> 20:50.010]  rooms? So, we coordinated that with them and they did it for all the teams. They raided and took
[20:50.010 --> 20:57.730]  their domain controller. Just stole it. Came in there, looking all official, scared the crap out
[20:57.730 --> 21:04.910]  of most of them. It was great, though. It was hilarious the whole time. There is some video
[21:04.910 --> 21:11.810]  of this I will show you later. But shenanigans. Lots and lots of shenanigans. The most shenanigans
[21:11.810 --> 21:22.930]  you will ever have being a Red Teamer. So, the burn. This is the last hour. We're nuking the
[21:22.930 --> 21:31.710]  disks. You can see here we're doing rm -rf --no-preserve-root. Screw the disk. Blue screen the
[21:31.710 --> 21:38.190]  boxes. Delete the AWS account. It doesn't like when you do that, by the way. Nine cat the boot
[21:38.190 --> 21:44.790]  loaders. Anything we can do to destroy their systems. Anything we have access to left is
[21:44.790 --> 21:57.650]  destroyed. Nuclear, right? So, after all of this is, you know, done, we tell them what we did,
[21:57.650 --> 22:04.630]  right? We actually sit down with them, with every team, and say, well, okay, so you're team seven.
[22:05.270 --> 22:10.690]  You kept giving us your password to the key loggers. You never found the PAM backdoor,
[22:10.690 --> 22:15.010]  right? It's here. It's here every year. We told you this last year.
[22:16.990 --> 22:24.010]  You know, you didn't block us, right? Were you checking for DNS traffic? Or were you too busy
[22:24.010 --> 22:29.370]  doing injects? Or did your firewall guy not look because it was a new guy? Did he not check for
[22:29.370 --> 22:33.870]  DNS traffic? Did he not check for ICMP traffic? Things of that sort. We would sit down with them
[22:33.870 --> 22:39.410]  and tell them what they did wrong. A lot of it was they just weren't looking.
[22:40.970 --> 22:45.270]  You know, anybody with Wireshark and a mirror port can really see us. Like,
[22:45.270 --> 22:51.670]  when 90% of the traffic coming out of your box is DNS, and it's like gigs of it,
[22:51.670 --> 22:58.290]  you have a problem. And a lot of times they just don't block it. I always said,
[22:58.290 --> 23:02.190]  if you had a good firewall guy, somebody who had Wireshark open, mirror port,
[23:02.190 --> 23:07.090]  just streaming logs, right? Maybe booted off of Live CD or something.
[23:07.530 --> 23:14.550]  That they'd be able to find us, right? We're very noisy, right? Maybe this is long-term beacons.
[23:15.290 --> 23:19.370]  Maybe not, but you just do standard incident response. And you know,
[23:19.370 --> 23:24.090]  most of our stuff is detected, right? Cobalt Strike's super detectable.
[23:24.270 --> 23:29.350]  You know, you open up ProcMon and you see the crap that's going on, and alas, right?
[23:30.570 --> 23:37.550]  Kick us out as fast as you can, right? Even if you bring services down in incident response,
[23:37.550 --> 23:41.670]  mind you, this is a compressed time frame. And this kind of goes for most incident response,
[23:41.670 --> 23:48.510]  right? Don't be afraid to turn off the network. I mean, even if it's just, you know, 10 minutes,
[23:48.510 --> 23:54.150]  right, to get your bearings and start looking at traffic, you know, hands off keyboard,
[23:54.150 --> 23:59.330]  plug the Ethernet back in, see what's happening, right? See what's talking.
[24:01.250 --> 24:05.490]  Track those traces down, kick us out, because if we kick us out, we can't get back in. If we don't
[24:05.490 --> 24:10.310]  have your passwords, we don't have any beacons, we're not getting back in, right? Like, we have
[24:10.310 --> 24:16.030]  some of the backdoors, and sometimes they stay, but a lot of the older ones, you know, they're
[24:16.030 --> 24:21.870]  all picked up by AV nowadays. So, but a lot of it is they just haven't had a lot of experience
[24:22.630 --> 24:27.750]  with dealing with these computers and dealing with systems like this, right? Like, they're in
[24:27.910 --> 24:32.770]  a system administration role trying to do security, and all they've been taught is security.
[24:34.550 --> 24:39.930]  So, and they kind of treat the operating system as hostile. They're not doing that most of the
[24:39.930 --> 24:45.690]  time, right? They trust in the permission. They trust in the files they're leaving on the system.
[24:45.690 --> 24:49.830]  They're trusting their backups. We've infected the backups. We've done that. They're going to
[24:49.830 --> 24:55.570]  restore from a backup, and we'll reinfect them again, because it's an old password. And we always
[24:55.570 --> 25:05.610]  try the old passwords, right? Like, this is how it works. So, you know, mostly it's just trying to
[25:05.610 --> 25:10.710]  get the air out about what we're doing, right? It's really easy to spot us once you know what
[25:10.710 --> 25:19.810]  we're doing, because we're up to all kinds of shenanigans. And so, it's not, it's not,
[25:20.310 --> 25:25.190]  most of this stuff is just a grab bag of anything that we can find off of GitHub, for the most part.
[25:25.190 --> 25:31.350]  I mean, Cobalt Strike's really nice. We do write some shenanigans for some of the scripts, but
[25:31.970 --> 25:37.410]  really, though, we're not doing anything particularly special. But year after year,
[25:37.410 --> 25:41.930]  and we have students, we have teams, we have teams that are amazing at this, right?
[25:42.690 --> 25:49.590]  They'll kick us out in 15 minutes, and maybe we'll get back in second day, right? Maybe they'll
[25:49.590 --> 25:54.450]  file for a phishing email. We've had that happen once. Or we'll steal something from their room.
[25:55.630 --> 26:00.790]  They're supposed to, there's physical security kind, kind of involved. We keep it, you know,
[26:00.790 --> 26:06.770]  we don't do it that much, but we'll steal a laptop, or, you know, or, you know, give it
[26:06.770 --> 26:12.750]  back to them with, put SXP on it, and expect them to use it, because there was a service on it.
[26:15.270 --> 26:21.470]  So, I have videos I'm going to show you. I'm going to talk over them. I'm not going to play
[26:21.470 --> 26:27.630]  the terrible music that's on them. Both of these are on YouTube. You can look up NECCDC,
[26:27.630 --> 26:33.150]  and you can find all of our previous year's videos, right? They're not very long. And they
[26:33.150 --> 26:38.090]  really showcase some of the payloads that we're getting back, right? In a lot better way than I
[26:38.090 --> 26:48.310]  can show. So, I'm going to play number one here. So, this is from 2019. I'm going to,
[26:48.310 --> 26:55.410]  just a smidgen ahead here. So, we have backdoored their Wi-Fi router. It was,
[26:55.410 --> 27:02.950]  we just get a custom update server. Here, they're Googling how to do security,
[27:02.950 --> 27:08.710]  you know, Wi-Fi passwords. So, we get a little bit of a backdoor stream from white team,
[27:08.710 --> 27:14.170]  and they'll post in the Slack some of the things that they find from us. But, ah, red team,
[27:14.170 --> 27:28.040]  you know, passwords to the key loggers. And you can see, you know, we really,
[27:28.040 --> 27:32.020]  it's just password discipline is so terrible with these people sometimes.
[27:33.580 --> 27:38.180]  Um, you know, they're trying to track us down in ProcMon and
[27:41.100 --> 27:44.060]  managementcorp.beaver. I don't think it's supposed to be that.
[27:45.220 --> 27:53.960]  You know, we're futzing with their DNS. You know, changing their administrative passwords,
[27:53.960 --> 27:59.740]  because if they don't know it, might as well rerun it. King Size Mouse just ran on a couple
[27:59.740 --> 28:02.960]  of machines. You can see it here in action in Cobalt Strike.
[28:04.340 --> 28:08.320]  Makes the machine very hard to use, but you can get rid of it.
[28:10.900 --> 28:17.080]  They're trying to figure out why their DNS has been changed to another server, because it's ours now.
[28:23.480 --> 28:30.920]  Yeah, we were dropping some rickrolls on them several times. A lot of kids, they just don't,
[28:30.920 --> 28:37.860]  they just don't know the memes. Uh, yeah, we did that a couple of times. We'll change out the
[28:37.860 --> 28:43.020]  Wi-Fi password, uh, the Wi-Fi AP to what their, what their password was. Just, just to show we
[28:43.020 --> 28:51.070]  care. That's our little Wi-Fi. So we were, we had a backdoor, but they had to keep Wi-Fi up.
[28:51.170 --> 28:55.250]  And so we had a little Wi-Fi router up that we were actually using as a backdoor.
[28:55.250 --> 29:02.440]  We were getting all the teams with it. You know, making some puns and jokes and things of that
[29:02.440 --> 29:11.320]  sort. We, we did it a lot. Um, uh, sometimes they'll accidentally paste the password into the
[29:11.320 --> 29:18.020]  Slack. Don't do that. Um, there's bunkers being managed by red team. That's a pretty common
[29:18.020 --> 29:29.230]  problem. This is all set to terrible music that I'd rather not play. Um,
[29:29.230 --> 29:33.930]  I'm trying to install Security Essentials. Are they not teaching them what counts as
[29:33.930 --> 29:40.650]  antivirus on Windows nowadays? Uh, AVG does not work on Windows Server. Sorry.
[29:41.670 --> 29:47.650]  Uh, you really should turn that on and setting your password is not going to do any good if
[29:47.650 --> 29:57.290]  we have a key logger on the box, right? Um, we'll send them helpful messages, you know,
[29:57.290 --> 30:02.150]  to annoy them that we see them that they're editing their firewall. It's not doing any good.
[30:03.070 --> 30:11.250]  Um, more passwords, of course, uh, really the key logger is, key loggers are so old school,
[30:11.250 --> 30:16.730]  right? Like, Oh, who installs a key logger? But they just give, every time, really looking
[30:16.730 --> 30:22.070]  to install them key loggers. If you're popping a box, more dancing, bananas, shenanigans,
[30:22.070 --> 30:28.290]  as usual. Uh, I always like to drop them on boxes that we kind of have access to that haven't done
[30:28.290 --> 30:33.010]  anything on it in a while. Um, or just to show us the proof that we're, we're in their box,
[30:33.010 --> 30:38.710]  right? We want to give them that little tickler that, uh, we're still fussing with their systems.
[30:39.350 --> 30:45.210]  Uh, they'd try killing it, but each banana is a separate process. So if they don't know how
[30:45.210 --> 30:52.670]  to mass kill stuff, then Malwarebytes ain't going to help you. Uh, you can see here they're,
[30:52.670 --> 30:58.330]  they're actively being run. Mind you, these, these recap videos are made like an hour before
[30:58.330 --> 31:07.690]  the competition ends. So they're made in a rush. Uh, more helpful messages of banana man. They
[31:07.690 --> 31:12.750]  weren't killing them fast enough. So I just kept spawning more of them just to annoy them.
[31:13.650 --> 31:24.410]  Um, banana itself, it's not backdoored. Uh, it does change some, um, uh, yes. Yeah. So this is,
[31:24.410 --> 31:30.010]  this is it rotating by 90 degrees every 30 seconds. And we actually got video from one
[31:30.010 --> 31:38.130]  of the white team, these ultra wide monitors making it super stupid. Um, it's just, you know,
[31:38.130 --> 31:43.150]  it works fine now, but give it 30 seconds and it won't. Uh, they're trying to figure out how
[31:43.150 --> 31:47.690]  to kill it. And I'm playing Yakety Sax over there, over there, uh, audio at the same time.
[31:47.690 --> 31:54.570]  They still haven't closed it. Uh, we do this to all the teams. This is the one we got video of.
[31:57.330 --> 32:06.570]  And so this cracks me up every time I watch it. Um, you know, we give them some encouragement.
[32:06.570 --> 32:14.490]  They get demoralized very quickly. Um, but, uh, we'll actually back off of people that we have
[32:14.490 --> 32:19.950]  access to towards the end there. Uh, mostly because, you know, kicking the puppy while it's
[32:19.950 --> 32:26.510]  down. We don't like to do that too terribly much, but you know, bananas on, on write-ups
[32:26.510 --> 32:34.030]  is super great. Oh yeah. Nothing's infected. Bananas everywhere. Um, they write on the board.
[32:34.030 --> 32:37.870]  Sometimes we'll, we'll steal passwords off the whiteboards. We'll, we'll take photos from
[32:37.870 --> 32:45.330]  cracks in the walls and stuff. Uh, more bananas. Uh, I have one that'll just fork bomb a machine
[32:45.330 --> 32:52.350]  to the point where it just won't run anymore. Um, a team challenged us saying, Hey, we don't
[32:52.350 --> 32:58.850]  have any bananas on ours. Yeah. Give it 10 minutes. Um, yeah, you really shouldn't be
[32:58.850 --> 33:05.570]  killing svchosts. Uh, they had sign-in sheets and we did actually sign in as red team and
[33:05.570 --> 33:14.630]  nobody checked. Um, they're trying to run ClamAV on the box and that's not going to do any good.
[33:14.630 --> 33:21.210]  The definitions are too old. These are examples of some of the injects. Um, some of it is quite
[33:21.210 --> 33:26.050]  going fast, but, uh, you know, more, more words of encouragement.
[33:28.250 --> 33:31.970]  I think at this particular point, right, they got so much stuff running that it's,
[33:31.970 --> 33:35.670]  it's starting to bog down their boxes, but you know, they'll give us keys and
[33:36.630 --> 33:43.570]  really we're just Googling stuff better than them. Uh, we're, we're letting, you know,
[33:43.570 --> 33:47.530]  them know that their, their boxes still pops. There's really the WAP. That's what they had
[33:47.530 --> 33:56.310]  in the rooms. One of the teams did that. Um, yeah, so we stole the laptops and we gave them
[33:56.310 --> 34:02.310]  Windows XP. It was great. We put all of our malware on it too. And, uh, we stole it without
[34:02.310 --> 34:07.430]  them knowing. It was great. All the teams did not notice that we had stolen their laptop
[34:08.070 --> 34:13.090]  and we just gave it back to them. Uh, some encouragement from remote tech support.
[34:13.650 --> 34:20.490]  Um, so this one, so they're doing some role-playing here. So this guy is yelling at them.
[34:20.650 --> 34:24.250]  If you watch this video on YouTube, it's a little bit better, but this guy's yelling at him. Like,
[34:24.250 --> 34:29.890]  well, why did he steal the laptop? Didn't you like record it down? Like, who was this person?
[34:30.590 --> 34:36.630]  And, and like, well, I mean, you know, the student doesn't know what the hell's going on at this
[34:36.630 --> 34:40.710]  point, right? Like he doesn't know how to respond. So the students are given real world scenarios
[34:40.710 --> 34:48.390]  like, well, what the fuck? Why did the laptop walk off? Right. So he's trying to explain to
[34:48.390 --> 34:54.330]  himself and it's, it's, it's, it's not very good. He's trying to figure out, well, did they just
[34:54.330 --> 34:59.950]  steal it from underneath your keyboard? Like, how did this work? Why did you give him the laptop?
[35:01.790 --> 35:05.710]  And why is he playing Tetris? Tetris is his bootloader.
[35:09.750 --> 35:15.590]  So that happens so many times, right? We, we hardly get to see that as red team, but here's
[35:15.590 --> 35:21.110]  us imaging them all. Somebody actually had an image for this laptop for Windows XP,
[35:21.110 --> 35:28.270]  and they just downloaded it from work. And we kept, we were getting beacons off of them.
[35:32.390 --> 35:37.310]  So we, this is some of the searches and typings that's coming in while we still have beacons for
[35:37.310 --> 35:44.670]  days. Bad passwords. At this point, they've changed their password six, seven, eight times,
[35:44.670 --> 35:51.150]  and they're just done, right? Like, oh, he, we, we, we made good friends with him. He's
[35:51.150 --> 35:57.610]  going to pwn his own box, but unfortunately the beacon had disconnected. So, but he was
[35:57.610 --> 36:01.590]  one of the team members. He, he'd wanted to dance off to get his domain controller back.
[36:02.190 --> 36:05.190]  So it's like, here, you can pwn your domain controller again.
[36:10.260 --> 36:14.120]  They had sign-in sheets. We were signing in with anything and everything under the sun,
[36:14.120 --> 36:19.160]  and nobody was checking in when they should have been. They got scored against that too.
[36:20.520 --> 36:30.300]  We're starting to delete things now, and it's just out of control at this point, right? So,
[36:30.300 --> 36:35.180]  you know, a CEO is asking, why are you playing Tetris? We still run gateways. I thought we all
[36:35.180 --> 36:40.320]  had Dells because their gateway was down. They didn't have internet because we nuked the Palo
[36:40.320 --> 36:50.440]  Alto. More bananas just because wall messages back and forth, you know, chatting with the teammates
[36:50.440 --> 36:56.380]  going, you know, can we pop, can we pop your box? As always, women are technical and capable of
[36:56.380 --> 37:08.230]  breathing fire. Definitely so. So this one's where, you know, the network's down and he's
[37:08.230 --> 37:16.190]  losing money. And he's yelling at the teammates going, well, what's going on? Like, I'm not going
[37:16.190 --> 37:22.570]  to sell the other house in the Hamptons. I'm going to fire you first. Classic CEO speak,
[37:22.570 --> 37:28.430]  and he just walks out. We saw Mr. Dino a lot of times. You'll still have beacons.
[37:28.430 --> 37:35.970]  This is the group shot. This is all the red team for 2019. You can see me there in the corner,
[37:35.970 --> 37:41.070]  Mudge in the center, you know, I don't remember half these people's names at this particular
[37:41.070 --> 37:45.350]  point. We don't meet that often, but I have a mug with all their names on it, though.
[37:45.830 --> 37:51.530]  Daryl's on the left there, but this is who they have to defend themselves against, right? They're
[37:51.530 --> 37:58.350]  Silas. He used to work at VirusTotal. He would weaponize malware that he would get
[37:58.350 --> 38:06.190]  from Google and VirusTotal and stick it on students. That madman! He would neuter it,
[38:06.190 --> 38:11.870]  right? There was an incident, but he would neuter it and repurpose it for students,
[38:11.870 --> 38:15.790]  so he would actually infect them with malware, just the beacons were going back to him instead.
[38:16.610 --> 38:23.610]  Crazy, crazy fellow. Most of these guys are networking engineers. Most of them aren't
[38:23.610 --> 38:28.750]  even Red Team. They aren't like, this is what they do as Red Team. They're more dangerous
[38:28.750 --> 38:35.150]  because they're in the field every day, right? They're networking engineers, Splunk engineers,
[38:35.690 --> 38:43.370]  but they know the full depth of those applications. They know what they can do,
[38:43.370 --> 38:47.710]  and then you take that and twist it. That's what I think is fundamental to being a Red Teamer,
[38:47.710 --> 38:52.090]  right? You know how that stuff's supposed to work, and then you twist it to your needs,
[38:52.090 --> 38:59.990]  your evil, evil needs to do what you needed to do, right? You have much more scope availability.
[38:59.990 --> 39:04.890]  You have the ability to hide better if you know more about what you're dealing with,
[39:04.890 --> 39:10.990]  especially with applications. Well, I've just talked about Neroff. We'll go ahead and go on
[39:10.990 --> 39:19.910]  to the second video here. Skip ahead a little. This is from 2018. More shenanigans, you know,
[39:19.910 --> 39:29.910]  giving us their keys for AWS. Yes, we would persist with a team name called White Team on the box.
[39:32.670 --> 39:36.530]  They had to go in through the serial console that year. They really didn't understand what was going
[39:36.530 --> 39:46.370]  on. They didn't know it was serial. I think they were trying to screw with each other,
[39:46.370 --> 39:52.790]  allowing us to say traffic's always a bad idea. These are, by the way, generally very flat
[39:52.790 --> 39:58.530]  networks. You know, us and our Splunk admin going, hey, do you need to get your Splunk working?
[40:01.450 --> 40:07.810]  Yes, we've done that. We've installed Linux on a box. You know, always check your agent names.
[40:08.330 --> 40:13.170]  We're always changing your passwords for you because you should be changing them often,
[40:13.170 --> 40:18.250]  and if you're not, we're going to. We'll wipe your backups always. That's just what we do.
[40:20.070 --> 40:23.410]  PowerShell is in great gasps of what we do as well.
[40:25.170 --> 40:32.090]  No, you can't get rid of DNS. That's just terrible. More keys. That's our key added in.
[40:33.430 --> 40:39.890]  Us taking surveillance photos of passwords on the whiteboard. That's not a good place to put them.
[40:39.890 --> 40:46.290]  Docker should not be running on your laptop. This is kind of what our desktop would look like,
[40:46.290 --> 40:53.010]  right, because we have all the teams open. Somebody futzing with the Palo Alto, at least trying to.
[40:53.990 --> 41:04.530]  Mudge sending beacons down. This is just, you know, SSH keys being sent in. Me playing annoying
[41:04.530 --> 41:10.930]  noises because they had all in ones and I couldn't turn off the speakers. Oh, that was great.
[41:13.630 --> 41:20.270]  We'll meme them up, change their logins to whatever we want. We'll change their
[41:20.270 --> 41:25.390]  MOTD and they forget it's there and it's backdooring every time that MOTD runs.
[41:29.550 --> 41:34.890]  We will sometimes, if you ask us to stop, sometimes we will, if you're nice to us,
[41:34.890 --> 41:38.310]  just let our beacons live and we'll stop messing with your box.
[41:39.530 --> 41:43.330]  That actually is probably pretty good advice to somebody who's actively in your network
[41:43.330 --> 41:47.270]  and you're trying to fight them, but really you should just be unplugging the internet.
[41:48.590 --> 41:54.770]  I played Tetris with, I attempted, and this is a really bad demo, but I attempted to play
[41:55.970 --> 42:03.130]  a Tetris with somebody over their own tmux session while in front of them. So I'm actually
[42:03.130 --> 42:09.550]  attached to the tmux session and I'm trying to get BSD games to work. But you know, if you've
[42:09.550 --> 42:16.130]  lived in Debian land, that's actually kind of hard, but I'm playing some Worm with them, at least
[42:16.130 --> 42:28.200]  trying to, well, attempting to. It's actually kind of a FUB. Why did I put that in here?
[42:28.720 --> 42:39.050]  Oh, well, there's their keys. But while I'm for various effects, you know, their AWS access keys,
[42:39.050 --> 42:44.270]  because they're leaving them in configs everywhere. Yes, it is our router.
[42:45.850 --> 42:49.250]  Some people don't know what CloudTrail is. It's great.
[42:50.130 --> 42:59.420]  Yes, the box is fucked. It is a technical term. That's always, always DNS's problem.
[43:00.020 --> 43:07.340]  Yes, we stole all your passwords. They Google weird shit all the time.
[43:07.340 --> 43:11.080]  One team decided to go this kind of advanced format for their passwords.
[43:13.220 --> 43:20.400]  They didn't know what echo is. We find that a lot. A lot of kids don't know what is going on.
[43:20.400 --> 43:28.480]  We'll send the messages to their Splunk. We'll actually interject bad Google results. We've
[43:28.480 --> 43:33.320]  actually had it where Google would redirect to Bing and it would be the third page of Bing and
[43:33.320 --> 43:40.460]  that's all they could access. This is beacons coming in from Splunk as they started to manage
[43:40.460 --> 43:50.590]  their system for them. Somebody trying to do some art because they were bored and they didn't have
[43:50.590 --> 43:58.310]  anything to do. We decided, I did at least, that I was going to make a little bit of fun.
[43:58.370 --> 44:04.390]  I printed out this stupid piece of paper that said, hey, you're trying to get into SSH. Would
[44:04.390 --> 44:08.930]  you like to try Telnet instead? Slipped it under everybody's door. We actually got them back,
[44:09.310 --> 44:13.490]  a couple of them. There's the search warrant. That was fun. There's Clippy.
[44:14.130 --> 44:19.050]  We got them back from a couple of teams. This is us ransomware-ing their team.
[44:21.770 --> 44:30.670]  Yes, that happens a lot now. This is great. We made them take this photo for us.
[44:30.670 --> 44:36.830]  And we made them apologize for trying to steal our firewall, which was their firewall,
[44:37.330 --> 44:42.970]  but it was really our firewall now. We gave them back their firewall eventually, but
[44:43.590 --> 44:53.650]  no, no guarantees there. Then we just start deleting stuff from them. It's the same stick
[44:53.650 --> 45:00.250]  every year, practically. I know running Docker, we'll have beacons inside of Docker and they'll
[45:00.250 --> 45:07.410]  never see them in there. We're starting to get beacons timing out now. Me dd'ing urandom to the
[45:07.410 --> 45:11.730]  TTY for shits, and that's always super fun when it goes beepy hell.
[45:17.520 --> 45:24.540]  Yep. And we're starting to delete sys32 now. Teams start usually playing music at this point
[45:24.540 --> 45:28.400]  because there's not a whole lot they can do because we're just starting to pop boxes now.
[45:30.540 --> 45:35.120]  Disable their internet, anything that we can do to destroy the box
[45:36.600 --> 45:39.080]  at this point. So you get the general idea.
[45:42.920 --> 45:47.660]  We start deleting all their AWS instances, which are scored, which has a bunch of stuff in it.
[45:48.060 --> 45:53.220]  Making sure to delete all the snapshots, all the beacons are dead. This is the write-up where they
[45:53.220 --> 46:02.760]  had to do the search and seizure. We'll actually kind of go back to that a little bit.
[46:03.320 --> 46:05.320]  This is us deleting sys32.
[46:07.560 --> 46:14.560]  And as such. So as you can see, we're up to all kinds of shenanigans.
[46:18.020 --> 46:21.540]  Obviously, we've had some disruptions this morning in numerous ways. Under my standing
[46:21.540 --> 46:25.640]  as law enforcement officer in the room, we collected some device or devices.
[46:25.760 --> 46:30.000]  This is obviously concerning to the executive staff as we need to talk and make sure we
[46:30.000 --> 46:35.300]  understand all the facts we know. This is the search and seizure.
[46:35.320 --> 46:38.520]  That was pretty good. We don't have any video of it, though. It wasn't recorded,
[46:38.520 --> 46:43.420]  because they just kind of surprised us on it. They even raided red team room at one point.
[46:44.860 --> 46:53.430]  So as you can see, we generally have our standard reams. This is just the northeast
[46:53.430 --> 47:04.560]  corridor, right? There's teams for every corridor. And yeah. So there's teams for every corridor.
[47:04.560 --> 47:09.260]  And then they go to nationals, and they fight there, and they have some real red teamers there,
[47:09.260 --> 47:14.140]  right? They'll actually bring out some stops. They have some amazing tools up there. A lot of
[47:14.140 --> 47:18.280]  them they don't release, and it's for good reason, because they're very dangerous, actually.
[47:18.760 --> 47:24.260]  And they're meant for only use in competitions. But you can find it, right? Now that you know
[47:24.260 --> 47:30.860]  this terminology, CCDC, start trying to find some of the red teamer tools out there. There's some
[47:30.860 --> 47:38.880]  amazing stuff out there. And we generally do tag it for CCDC. If you take a look here,
[47:38.880 --> 47:43.500]  I got some URLs for you. If you want to check some stuff out for the northeastern corridor,
[47:43.500 --> 47:51.280]  you could do NECCDC.org. If you want to check out the national competitions,
[47:51.880 --> 47:57.240]  you know, maybe even become a red teamer there, check out nationalCCDC.org.
[47:58.660 --> 48:02.580]  But overall, check your local colleges. You never know, they may want to participate in this,
[48:02.580 --> 48:06.240]  and they haven't had anybody to actually start a program there, right? Volunteer some time to
[48:06.240 --> 48:11.680]  start a program, get with a professor, something along those lines. See if they already participate.
[48:12.300 --> 48:17.620]  You can help them with training, become a red teamer for them, set up a scenario for them,
[48:17.620 --> 48:23.740]  let them attack you, attack them, that type of thing. It's good fun, and it allows you to kind
[48:23.740 --> 48:28.700]  of stretch your muscles as a red teamer without having to really worry about scope, right? Like,
[48:28.700 --> 48:34.480]  if you blow up a box, who cares, right? But as, like, normal red team, you know, if you're trying
[48:34.480 --> 48:40.360]  to do pen testing, you really can't just, like, destroy a box, right? You can't really simulate
[48:40.360 --> 48:46.320]  being a hacker, because you're really not going to, you know, delete the domain controller,
[48:46.320 --> 48:56.000]  you would. It's the best two days you could have, right? Just outright. It's the best two days you
[48:56.000 --> 49:02.420]  could possibly have. It allows you to test new tools and tactics in a controlled, wild environment.
[49:02.420 --> 49:07.180]  You can just let it loose and go to town. As long as it doesn't leave the network, they don't really
[49:07.180 --> 49:12.720]  care what it does. As long as it doesn't, like, make the box catch fire, like, literally catch
[49:12.720 --> 49:23.440]  fire. I think we had that one year. But, well, I've had my 50 minutes. Omar, you want to come on
[49:23.440 --> 49:23.980]  back?
